My OSX PF.conf rules

Posted on August 24, 2012

I absolutely love that PF is the default firewall in OSX Lion and above. It makes me feel so much more confident given the port soup Apple likes to run on OSX. It can be tough to find good examples of PF configs on OSX, though, so here's mine for my MBP:


#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup.  PF will not be automatically enabled, however.  Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8).  That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here.
#
# See pf.conf(5) for syntax.
#

#
# com.apple anchor point
#
set skip on lo
scrub in

nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

#############
# Variables #
#############

# The ruleset below is parsed and loaded at boot but pf itself is not enabled
# (see the header above), so after editing this file:
#   syntax-check:      sudo pfctl -nf /etc/pf.conf
#   load and enable:   sudo pfctl -e -f /etc/pf.conf
#   show what loaded:  sudo pfctl -sr

ext_if="en1"      # Wi-Fi on this MBP (en0 is the wired port); confirm with ifconfig
loop_if="lo0"     # not referenced below: loopback is already skipped by "set skip on lo"

icmp_types    = "echoreq"
torrent_ports = "{ 49164, 6881 }"
irc_ports     = "{ 6668 }"       # not referenced below: outbound IRC is covered by "pass out all"
dhcp_ports    = "{ 68, 67 }"

############
# Defaults #
############

# Drop everything inbound unless a later rule passes it; allow all outbound.
block in
pass out all

#####################
# Selective Traffic #
#####################

# torrents: the listening ports of the BitTorrent client.
# "flags S/SA" is a TCP-only option; it has no effect on the udp half of this rule.
pass in quick on $ext_if proto { tcp, udp } to ($ext_if) port $torrent_ports flags S/SA keep state

# ssh: remote login to this machine (only useful if Remote Login is enabled)
pass in quick on $ext_if proto tcp to ($ext_if) port ssh

# echo: answer ping
pass in quick inet proto icmp all icmp-type $icmp_types

# dhcp: no direction is given, so this passes both in and out.
# DHCP is UDP only; the tcp half of this rule never matches, and a client
# only needs inbound traffic to port 68.
pass quick proto { tcp, udp } to port $dhcp_ports flags S/SA keep state
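The ruleset above defines two macros it never uses (loop_if, irc_ports) and has one pass rule without a direction. pfctl -nf only checks syntax, and both of those are legal pf.conf, so nothing complains. The following linter is an added example (not code from the original post): it reports unused and undefined macros, pass/block rules with no in/out, and "flags" used on a rule whose proto list has no tcp. SAMPLE_CONF is a constructed copy of the variables and rules above, not the real /etc/pf.conf, and the comment and rule handling is a simplification of the pf.conf grammar (Python 3, standard library only).

```python
"""Lint a pf.conf for macro and rule hygiene that pfctl -nf does not report."""
import re

MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"(.*)"\s*$')
MACRO_REF = re.compile(r'\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?')
PROTO = re.compile(r'\bproto\s+(\{[^}]*\}|\S+)')
# tokens that may sit between "block" and its direction in the pf grammar
BLOCK_SPEC = {"drop", "return", "return-rst", "return-icmp", "return-icmp6"}

# Constructed copy of the post's macros and rules (not the real /etc/pf.conf).
SAMPLE_CONF = """\
set skip on lo
scrub in
ext_if="en1"
loop_if="lo0"
icmp_types    = "echoreq"
torrent_ports = "{ 49164, 6881 }"
irc_ports     = "{ 6668 }"
dhcp_ports    = "{ 68, 67 }"
block in
pass out all
pass in quick on $ext_if proto { tcp, udp } to ($ext_if) port $torrent_ports flags S/SA keep state
pass in quick on $ext_if proto tcp to ($ext_if) port ssh
pass in quick inet proto icmp all icmp-type $icmp_types
pass quick proto { tcp, udp } to port $dhcp_ports flags S/SA keep state
"""


def strip_comment(line):
    """pf.conf comments run from '#' to end of line (assumes no '#' inside macro values)."""
    return line.split("#", 1)[0].rstrip()


def lint_pf_conf(text):
    """Return the findings for one pf.conf as a dict of lists (line numbers are 1-based)."""
    defined = {}          # macro name -> line number where it is defined
    used = set()          # macro names referenced anywhere
    no_direction = []     # pass/block rules written without "in" or "out"
    flags_no_tcp = []     # rules using "flags" whose proto list contains no tcp
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line.strip():
            continue
        m = MACRO_DEF.match(line)
        if m:
            defined[m.group(1)] = lineno
            used.update(MACRO_REF.findall(m.group(2)))  # values may reference earlier macros
            continue
        used.update(MACRO_REF.findall(line))
        words = line.split()
        if words[0] in ("pass", "block"):
            rest = [w for w in words[1:] if w not in BLOCK_SPEC]
            if not rest or rest[0] not in ("in", "out"):
                no_direction.append(lineno)
        if re.search(r"\bflags\b", line):
            p = PROTO.search(line)
            if p is None or not re.search(r"\btcp\b", p.group(1)):
                flags_no_tcp.append(lineno)
    return {
        "unused_macros": sorted(n for n in defined if n not in used),
        "undefined_macros": sorted(used - set(defined)),
        "rules_without_direction": no_direction,
        "flags_without_tcp": flags_no_tcp,
    }


if __name__ == "__main__":
    for key, val in lint_pf_conf(SAMPLE_CONF).items():
        print(f"{key}: {val}")
```

Run against the sample it reports irc_ports and loop_if as unused and flags the dhcp rule (line 14 of the sample) as having no direction; the two rules that carry "flags" both list tcp, so that check stays quiet. Feed it the real file with `lint_pf_conf(open("/etc/pf.conf").read())` after `pfctl -nf` has accepted the syntax.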
